License in Spring Boot parent is applied to generated projects with Maven
See original GitHub issueI used https://start.spring.io/ to create 2.5.0 template Maven project:
To my surprise the created project declares a bit strange licensing information. The license is Apache for example:
demo$ mvn help:effective-pom | grep licenses -C 2
<description>Demo project for Spring Boot</description>
<url>https://spring.io/projects/spring-boot/demo</url>
<licenses>
<license>
<name>The Apache Software License, Version 2.0</name>
<url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
</license>
</licenses>
<developers>
<developer>
You may be inclined to discard this report saying that the generated pom.xml
doesn’t have such licensing information and that’s just the effecitve pom inheriting the license from the parent pom. True, but for various tools it’s the effective pom that matters!
I’ve discovered this issue because my IDE started to insert Apache license headers into newly created files in the project. Why? Because it asked mvn help:effective-pom
for project object model. The model claims the project has Apache license.
Should I take the generated project and use mvn deploy
- it would be uploaded into Maven central or any other Nexus, Artifactory repository under the Apache license.
Should some hacker break in and steal my code and then claim hey well the code is apache licensed so whatever, how am I supposed to defend? Shall I argue that spring initializr assigned Apache license to my code without letting me know?
I can easily fix my generated pom.xml
by adding:
<licenses>
<license>
<name>license of your choice</name>
</license>
</licenses>
as such direct declaration overrides anything inherited from parent projects. However I wanted to bring this issue to your attention as it seems to have interesting consequences.
Issue Analytics
- State:
- Created 2 years ago
- Comments:5 (2 by maintainers)
Top GitHub Comments
FWIW defining empty elements as mentioned by @JaroslavTulach is what the Helidon team decided. You might want to check with them for pros & cons of that approach.
The (rejected) suggestion of #1017 to include
in the generated project would be my solution as well.